Re: Making forward progress

From: Stephen Smalley (sdsat_private)
Date: Fri Aug 03 2001 - 10:50:11 PDT

    On Fri, 3 Aug 2001 Valdis.Kletnieksat_private wrote:
    > Is all the information needed available in the VFS layer, or do we need
    > to capture metadata at the NFSv4 layer as well, to do it right?  Or
    > should we just make sure to coordinate with the NFSv4 team to ensure that
    > they keep the info we need around?

    Not having looked at the NFSv4 protocol or implementation (other
    than sitting in on a talk at OLS), I don't know.  While
    at the NSA, I previously implemented support for flexible 
    nondiscretionary access controls for NFS (v2 and v3) in the DTOS
    prototype, a predecessor of SELinux, and I did write up a design for
    adding such support to the original SELinux prototype a while back.  But
    that was based on the assumption that I could make fairly invasive changes
    (while keeping backwards compatibility for ordinary NFS clients and
    servers).  NAI Labs/TIS (not me) did an implementation of support for DTE
    in NFS a while back which wasn't very invasive, and I think others have
    experimented with DTE NFS implementations that try to be minimal
    in their invasiveness.  We plan on investigating full NFS support
    for SELinux at some point in the future, but I don't think that LSM
    has to fully address it in its initial version.

    Stephen D. Smalley, NAI Labs
    linux-security-module mailing list